Citi Fined by Connecticut for Online Security Breach

The Connecticut attorney general’s office said hackers exploited a vulnerability that the bank knew about long before the breach.

Citibank will have to pay a $55,000 fine resulting from a breach of its online operations in 2011, a statement released yesterday by the Connecticut attorney general’s office said. Citi will also have to undergo an audit by a third party to evaluate the security of its Account Online web service, the statement added.

This decision comes after a joint investigation by the Connecticut and California attorneys general’s offices found that the hackers took advantage of a vulnerability known to the bank to access customers’ accounts. The hackers logged in to the Account Online service with a username and password, and were then able to reach other customers’ accounts by simply changing some characters in the resulting URL. The bank had known of this vulnerability since 2008, the attorney general’s statement alleged.
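The flaw described above is a textbook insecure direct object reference: the site authenticated the user at login but never checked that the account identifier carried in the URL belonged to that user. The following is an added illustration, not Citi's code and not taken from the investigation; the `?acct=` parameter, the account table, the user names and the log lines are all constructed. It shows the vulnerable handler beside a hardened one that enforces ownership, and a small replay of request logs that, given the same ownership data, flags sessions that touched accounts they do not own.

```python
"""Added illustration of an insecure direct object reference (IDOR) and its fix.
All names, the ?acct= parameter, account data and log lines are constructed."""
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which customer owns which account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 310.75},
    "1003": {"owner": "carol", "balance": 9800.10},
}


class Forbidden(Exception):
    """Raised when a user requests an account they do not own."""


def account_id_from_url(url: str) -> Optional[str]:
    """Pull the (hypothetical) acct query parameter out of a request URL."""
    values = parse_qs(urlparse(url).query).get("acct")
    return values[0] if values else None


def view_account_vulnerable(session_user: str, url: str) -> Optional[dict]:
    """Vulnerable: the user was authenticated at login, but the handler never
    checks authorization, so whatever id appears in the URL is served."""
    return ACCOUNTS.get(account_id_from_url(url))


def view_account_hardened(session_user: str, url: str) -> dict:
    """Hardened: same lookup, but the record must belong to the session user.
    Unknown and foreign accounts get the same error so the response does not
    reveal which ids exist."""
    acct = account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user} may not view account {acct}")
    return record


# Constructed access-log lines in a "key=value" layout.
SAMPLE_LOG = [
    "user=alice url=/account?acct=1001",
    "user=alice url=/account?acct=1002",
    "user=alice url=/account?acct=1003",
    "user=bob url=/account?acct=1002",
]


def cross_account_requests(log_lines):
    """Replay log lines against the ownership table and return (user, account)
    pairs where a user requested an account that is not theirs. On the real
    vulnerable site these requests would have succeeded silently."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        acct = account_id_from_url(fields["url"])
        record = ACCOUNTS.get(acct)
        if record is None or record["owner"] != fields["user"]:
            hits.append((fields["user"], acct))
    return hits


if __name__ == "__main__":
    # The vulnerable handler hands alice bob's record; the hardened one refuses.
    print(view_account_vulnerable("alice", "/account?acct=1002"))
    try:
        view_account_hardened("alice", "/account?acct=1002")
    except Forbidden as exc:
        print("blocked:", exc)
    print("suspicious requests:", cross_account_requests(SAMPLE_LOG))
```

The ownership check belongs in the handler that serves the record, not in the link that the site generates: once a user can type a URL, anything the server does not verify is under the user's control. The log replay is only possible because the ownership table is available to the analyst; without it, a rapid sequence of distinct account ids from one session is the weaker signal to look for.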

The statement also said that the bank discovered the breach on May 10, 2011 but did not permanently repair the vulnerability until May 27, 2011, and failed to notify customers of the breach until June 3.

The breach allowed the hackers to access the account information of more than 360,000 Citibank customers, according to the statement. Media reports place the amount of money stolen in the breach at around $2.7 million.

Citi agreed to the audit as part of the settlement and also agreed to offer two years of free credit monitoring to any Connecticut customers affected by the breach. The settlement is not final until it receives court approval.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

At least financial institutions are being held accountable for their breaches. I think it will only encourage better practices in the future. Otherwise, there may not be any motivation to really invest money to address prevention.

A fine and an audit are pretty typical for this sort of thing. The size of the fine can differ case-to-case, but I'm probably not in a position to say what would have been a "fair" fine. It's important to note as well that Citi will have to pay for the third-party audit.